CVE-2023-0402

The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete post meta information and reset network access tokens.
Configurations

Configuration 1 (hide)

cpe:2.3:a:warfareplugins:social_warfare:*:*:*:*:*:wordpress:*:*

History

25 Jan 2023, 21:29

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
First Time Warfareplugins social Warfare
Warfareplugins
CPE cpe:2.3:a:warfareplugins:social_warfare:*:*:*:*:*:wordpress:*:*
References (MISC) https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2844092%40social-warfare&new=2844092%40social-warfare&sfp_email=&sfph_mail= - (MISC) https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2844092%40social-warfare&new=2844092%40social-warfare&sfp_email=&sfph_mail= - Patch, Third Party Advisory
References (MISC) https://plugins.trac.wordpress.org/browser/social-warfare/trunk/lib/options/SWP_Options_Page.php?rev=2364155#L923 - (MISC) https://plugins.trac.wordpress.org/browser/social-warfare/trunk/lib/options/SWP_Options_Page.php?rev=2364155#L923 - Exploit, Third Party Advisory
References (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc4ba2c-32eb-46c5-bb40-7c0150fc1ca4 - (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc4ba2c-32eb-46c5-bb40-7c0150fc1ca4 - Third Party Advisory

19 Jan 2023, 16:50

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-19 15:15

Updated : 2023-01-25 21:29


NVD link : CVE-2023-0402

Mitre link : CVE-2023-0402


JSON object : View

Products Affected

warfareplugins

  • social_warfare
CWE
CWE-862

Missing Authorization